This documentation is no longer maintained and exists for historical purposes. The current documentation is located at http://suricata.readthedocs.io/.
High Performance Configuration¶
If you have enough RAM, consider the following options in suricata.yaml to off-load as much work from the CPU's as possible:
detect-engine:
- profile: medium
- custom-values:
toclient-src-groups: 200
toclient-dst-groups: 200
toclient-sp-groups: 200
toclient-dp-groups: 300
toserver-src-groups: 200
toserver-dst-groups: 400
toserver-sp-groups: 200
toserver-dp-groups: 200
- sgh-mpm-context: auto
- inspection-recursion-limit: 3000
Be advised, however, that this will require >= 32 GB of RAM for even modestly sized rule sets. Also be aware that having additional CPU's available provides a greater performance boost than having more RAM available. That is, it would be better to spend money on CPU's instead of RAM when configuring a system.
As a rough benchmark, in an HTTP-rich traffic stream, the full Emerging Threats rule set will require roughly one CPU per 50 Mb/sec of traffic when using "low" memory settings and using PF_RING to ensure there are no traffic drops.
Here are the build in values for LOW/MEDIUM/HIGH profiles:
ENGINE_PROFILE_LOW:
toclient-src-groups: 2
toclient-dst-groups: 2
toclient-sp-groups: 2
toclient-dp-groups: 3
toserver-src-groups: 2
toserver-dst-groups: 4
toserver-sp-groups: 2
toserver-dp-groups: 25
ENGINE_PROFILE_HIGH:
toclient-src-groups: 15
toclient-dst-groups: 15
toclient-sp-groups: 15
toclient-dp-groups: 20
toserver-src-groups: 15
toserver-dst-groups: 15
toserver-sp-groups: 15
toserver-dp-groups: 40
If not provided:
default and MEDIUM profiles:
toclient-src-groups: 4
toclient-dst-groups: 4
toclient-sp-groups: 4
toclient-dp-groups: 6
toserver-src-groups: 4
toserver-dst-groups: 8
toserver-sp-groups: 4
toserver-dp-groups: 30
locked